1

美好的一天,我是 kubernetes 的新手,并尝试设置我的第一个环境。我想遵循方案:

  • 我的组织有公共 IP (xxxx)
  • 192.168.0.10此 IP使用 win 服务器 + IIS路由到专用 LAN(即)中的服务器。在 IIS 上,我有 URL 重写模块,它充当反向代理
  • 我有 Kubernetes 集群
  • 我有一些服务部署到 k8s
  • 我想使用 SSL 从 Internet 访问此服务,从 let's encrypt 获得

我已经设置了 k8s 集群,部署了 traefik ( v1.7) 入口并配置它们以进行加密(设置http->https重定向,设置 acme 挑战)。这工作正常 - 我可以从 LAN 或 WAN 观察它,并且没有关于证书的警告 - 我看到绿色锁。现在我部署服务(在我的例子中是 graylog)。再次 - 我可以从 LAN 和 WAN 观察它,但在这种情况下,我看到有关证书的警告(它是由 颁发的TRAEFIK_DEFAULT_CERT)。看到这个后,我尝试搜索更多信息,发现我需要 cert-manager。我部署了 cert-manager,创建了让我们加密颁发者(具有 ClusterIssuer 角色),但随后我尝试颁发证书我收到以下错误(在挑战描述中找到):

Waiting for http-01 challenge propagation: wrong status code '404', expected '200'

我的 traefik 配置图:

apiVersion: v1
kind: ConfigMap
metadata:
  name: traefik-conf
  namespace: kube-system
data:
  traefik.toml: |
    # traefik.toml
    defaultEntryPoints = ["http","https"]
    [entryPoints]
      [entryPoints.http]
      address = ":80"
      [entryPoints.http.redirect]
        regex = "^http://(.*)"
        replacement = "https://$1"
      [entryPoints.https]
      address = ":443"
        [entryPoints.https.tls]
    [acme]
      email = "mymail@example.xyz"
      storage = "/acme/acme.json"
      entryPoint = "https"
      onHostRule = true
        [acme.httpChallenge]
        entryPoint = "http"
    [[acme.domains]]
      main = "my-public-domain.com"

我也尝试在那里使用通配符:

apiVersion: v1
kind: ConfigMap
metadata:
  name: traefik-conf
  namespace: kube-system
data:
  traefik.toml: |
    # traefik.toml
    defaultEntryPoints = ["http","https"]
    [entryPoints]
      [entryPoints.http]
      address = ":80"
      [entryPoints.http.redirect]
        regex = "^http://(.*)"
        replacement = "https://$1"
      [entryPoints.https]
      address = ":443"
        [entryPoints.https.tls]
    [acme]
      email = "mymail@example.xyz"
      storage = "/acme/acme.json"
      entryPoint = "https"
      onHostRule = true
        [acme.httpChallenge]
        entryPoint = "http"
    [[acme.domains]]
      main = "*.my-public-domain.com"
      sans = ["my-public-domain.com"]

我的集群发行者:

apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dev
spec:
  acme:
    email: mymail@example.xyz
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource used to store the account's private key.
      name: example-issuer-account-key
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
    - http01:
        ingress:
          class: traefik

还有我的测试证书:

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: example-com
  namespace: default
spec:
  secretName: example-com-tls
  renewBefore: 360h # 15d
  commonName: logger.my-public-domain.com
  dnsNames:
  - logger.my-public-domain.com
  issuerRef:
    name: letsencrypt-dev
    kind: ClusterIssuer

我有通配符域的 DNS 条目并且可以 ping 它

我的证书卡在状态OrderCreated

Status:
  Conditions:
    Last Transition Time:  2019-10-08T09:40:30Z
    Message:               Certificate issuance in progress. Temporary certificate issued.
    Reason:                TemporaryCertificate
    Status:                False
    Type:                  Ready
Events:
  Type    Reason        Age   From          Message
  ----    ------        ----  ----          -------
  Normal  OrderCreated  47m   cert-manager  Created Order resource "example-com-3213698372"

订单卡在状态Created

Status:
  Challenges:
    Authz URL:  <url>
    Dns Name:   logger.my-public-domain.com
    Issuer Ref:
      Kind:  ClusterIssuer
      Name:  letsencrypt-dev
    Key:     <key>
    Solver:
      http01:
        Ingress:
          Class:  traefik
    Token:        <token>
    Type:         http-01
    URL:          <url>
    Wildcard:     false
  Finalize URL:   <url>
  State:          pending
  URL:            <url>
Events:
  Type    Reason   Age   From          Message
  ----    ------   ----  ----          -------
  Normal  Created  48m   cert-manager  Created Challenge resource "example-com-3213698372-0" for domain "logger.my-public-domain.com"

最后,通过挑战:

Spec:
  Authz URL:  <url>
  Dns Name:   logger.my-public-domain.com
  Issuer Ref:
    Kind:  ClusterIssuer
    Name:  letsencrypt-dev
  Key:     <key>
  Solver:
    http01:
      Ingress:
        Class:  traefik
  Token:        <token>
  Type:         http-01
  URL:          <url>
  Wildcard:     false
Status:
  Presented:   true
  Processing:  true
  Reason:      Waiting for http-01 challenge propagation: wrong status code '404', expected '200'
  State:       pending
Events:
  Type    Reason     Age   From          Message
  ----    ------     ----  ----          -------
  Normal  Started    55m   cert-manager  Challenge scheduled for processing
  Normal  Presented  55m   cert-manager  Presented challenge using http-01 challenge mechanism

我看到有 404 响应,但我不明白它的原因。在我的 IIS 上,我有以下重写规则:让我们加密绕过 - 所有匹配的 url 都.well-known/*重写到 kubernetes 主机。http 到 https - 所有不匹配的 url 让我们加密重定向到 https 子域重定向 - 所有子域请求都重写到 kubernetes。

在我的局域网中,我有自己的 DNS 服务器,所有域my-public-domain.com都有映射到内部地址,所以我可以将公共主机名重定向logger.my-public-domain.com (x.x.x.x)到 internal logger.my-public-domain.com (192.168.0.y)

在挑战活动期间,我在 traefik 仪表板中看到了新的后端和前端。

也许我误解了它应该如何工作,但我希望 cert-manager 使用 let's encrypt 颁发证书,我可以观察我的服务。

4

1 回答 1

1

在您的traefik.tomlConfigMap 中,您将重定向到 HTTPS:

[entryPoints.http.redirect]
regex = "^http://(.*)"
replacement = "https://$1"

使用 删除该替换kubectl edit configmap -n kube-system traefik,保存更改,然后重新启动 Traefik pod。那你应该可以走了。使用 Ingress 管理带有注释的重定向,而不是将它们放在 Traefik 配置中。

于 2021-03-28T13:47:21.010 回答